Restricting a privileged container? (keep mknod)

[Lombra]

Hi,

I was going to run an unprivileged container, but the only problem was the lack of mknod access. How much can I lock a privileged container down? The goal is essentially an unprivileged container with mknod access. Can I just configure the container to map UIDs back to the unprivileged range on the host? If yes, what differentiates it from an unprivileged container after that? If no, does that just break mknod access again?

In case it makes a difference, I specifically need to create input devices.

 

[dietmar]

There is a container feature called "Create Device Nodes", which corresponds to mknod ...

(Container/Options/Features)

 

[Lombra]

That's restricted to creating FIFO devices, as far as I understand.